Thread ID: 90331 2008-05-30 20:43:00 Virtumonde Virus - explorer.exe crashes repeatedly rpm5099 (13774) Press F1
Post ID Timestamp Content User
674081 2008-05-30 22:06:00 No, rebooted and still not removed. Explorer still has continual restarts. rpm5099 (13774)
674082 2008-05-30 22:09:00 Are we talking about my computer or Internet Explorer crashing?

They're different things
Speedy Gonzales (78)
674083 2008-05-30 22:14:00 explorer.exe - the entire desktop and taskbar. It crashes, restarts itself, crashes again until it eventually stops restarting. rpm5099 (13774)
674084 2008-05-30 22:21:00 Try clicking on the "more info" or "info" link, whatever it's called, in the window that comes up when it crashes. Bottom right I think.

Instead of closing it

That'll at least tell us what's crashing it

Or go to control panel / admin tools / event viewer. Go to application / system (probably the 1st 1)

Find the entry / time it crashed. Double-click on it. Click on the icon under the down arrow and paste it here
Speedy Gonzales (78)
674085 2008-05-30 23:39:00 Well I think Trojan Remover took care of it but here's the logs just in case:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:49:30, on 5/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Robbie\Application Data\Simply Super Software\Trojan Remover\jmy1.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Documents and Settings\Robbie\Application Data\Simply Super Software\Trojan Remover\jmy1.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {06E12C36-760F-4D92-8509-5E5DBF12C423} - C:\WINDOWS\system32\mlJApQkj.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {2F585198-0585-426D-A821-CB8C1FA5E99F} - C:\WINDOWS\system32\mlJBqRKC.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {602F0220-1AF3-4869-8749-01DCC10AFB60} - C:\WINDOWS\system32\rqRLfDUl.dll (file missing)
O2 - BHO: (no name) - {65A24242-5104-493F-9449-8F5D7608C801} - C:\WINDOWS\system32\awtqqoMD.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {E32419F2-A132-4BBE-8392-B2761E396CD8} - C:\WINDOWS\system32\mlJDsRJc.dll (file missing)
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F81C2365-6A74-4247-BD57-D0FC684D3ABE}: NameServer = 192.168.100.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: mlJApQkj - mlJApQkj.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5975 bytes
***** TROJAN REMOVER HAS RESTARTED THE SYSTEM *****
5/30/2008 5:48:36 PM: Trojan Remover has been restarted
C:\WINDOWS\system32\mlJApQkj.dll - file ownership assigned to MAINTHEBRUCE\Robbie
C:\WINDOWS\system32\mlJApQkj.dll - RAW erasure required
C:\WINDOWS\system32\mlJApQkj.dll has been renamed to C:\WINDOWS\system32\mlJApQkj.dll.vir
5/30/2008 5:48:36 PM: Trojan Remover closed
************************************************************


***** TROJAN REMOVER HAS RESTARTED THE SYSTEM *****
5/30/2008 5:46:37 PM: Trojan Remover has been restarted
C:\WINDOWS\system32\mlJApQkj.dll - file ownership assigned to MAINTHEBRUCE\Robbie
--------------------------------------------------
The system must be restarted one more time to complete the file operations.
Trojan Remover is restarting the system.
--------------------------------------------------
5/30/2008 5:47:12 PM: Trojan Remover closed
************************************************************


***** DRIVE/DIRECTORY SCAN *****
Trojan Remover Ver 6.6.9.2533. For information, email support@simplysup1.com
[Unregistered version]
Scan started at: 4:46:53 PM 30 May 2008
Using Database v7012
Operating System: Windows XP SP3 [Windows XP Professional Service Pack 3 (Build 2600)]
File System: NTFS
Data directory: C:\Documents and Settings\Robbie\Application Data\Simply Super Software\Trojan Remover\
Logfile directory: C:\Documents and Settings\Robbie\My Documents\Simply Super Software\Trojan Remover Logfiles\
Program directory: C:\Program Files\Trojan Remover\
Running with Administrator privileges


**************************************************
PC appears to be in SAFE MODE with Network Support.

**************************************************

Carrying out scan on C:\
(including subdirectories)
Archive files will be EXCLUDED.
------------------------------
C:\Documents and Settings\Robbie\Local Settings\Temporary Internet Files\Content.IE5\A2TL4VVQ\css4[1] appears to contain: Adware.VrtuMonde
C:\Documents and Settings\Robbie\Local Settings\Temporary Internet Files\Content.IE5\A2TL4VVQ\css4[1] - file renamed to: C:\Documents and Settings\Robbie\Local Settings\Temporary Internet Files\Content.IE5\A2TL4VVQ\css4[1].vir
C:\WINDOWS\system32\mlJApQkj.dll appears to contain: Adware.VirtuMonde
C:\WINDOWS\system32\mlJApQkj.dll - file ownership assigned to: MAINTHEBRUCE\Robbie
C:\WINDOWS\system32\mlJApQkj.dll - file backed up to C:\WINDOWS\system32\mlJApQkj.dll.vir
C:\WINDOWS\system32\mlJApQkj.dll - file has been neutralised
C:\WINDOWS\system32\mlJApQkj.dll - file ownership assigned to: MAINTHEBRUCE\Robbie
Previously renamed file C:\WINDOWS\system32\mlJApQkj.dll.vir has been deleted
C:\WINDOWS\system32\mlJApQkj.dll - file ownership assigned to: MAINTHEBRUCE\Robbie
C:\WINDOWS\system32\mlJApQkj.dll - file backed up to C:\WINDOWS\system32\mlJApQkj.dll.vir
C:\WINDOWS\system32\mlJApQkj.dll - file has been neutralised
C:\WINDOWS\system32\mlJApQkj.dll - marked for renaming when the PC is restarted
C:\WINDOWS\system32\mlJBqRKC.dll appears to contain: Adware.VirtuMonde (Heuristic Detection)
C:\WINDOWS\system32\mlJBqRKC.dll - file renamed to: C:\WINDOWS\system32\mlJBqRKC.dll.vir
C:\WINDOWS\system32\CKRqBJlm.ini - HIDDEN and SYSTEM file attributes removed
C:\WINDOWS\system32\CKRqBJlm.ini, associated with Adware.VirtuMonde, has been deleted
C:\WINDOWS\system32\CKRqBJlm.ini2 - HIDDEN and SYSTEM file attributes removed
C:\WINDOWS\system32\CKRqBJlm.ini2, associated with Adware.VirtuMonde, has been deleted
C:\WINDOWS\system32\rqRLfDUl.dll appears to contain: Adware.VirtuMonde (Heuristic Detection)
C:\WINDOWS\system32\rqRLfDUl.dll - file renamed to: C:\WINDOWS\system32\rqRLfDUl.dll.vir
C:\WINDOWS\system32\lUDfLRqr.ini - HIDDEN and SYSTEM file attributes removed
C:\WINDOWS\system32\lUDfLRqr.ini, associated with Adware.VirtuMonde, has been deleted
C:\WINDOWS\system32\lUDfLRqr.ini2 - HIDDEN and SYSTEM file attributes removed
C:\WINDOWS\system32\lUDfLRqr.ini2, associated with Adware.VirtuMonde, has been deleted
------------------------------
71072 files scanned
4 Malware file(s) detected
Scan completed at: 5:43:48 PM 30 May 2008
-------------------------------------------------------------------------
One or more files could not be moved or renamed as requested.
They may be in use by Windows, so Trojan Remover needs
to restart the system in order to deal with these files.
5/30/2008 5:44:10 PM: restart commenced
************************************************************


***** WINDOWS EXPLORER POLICIES RESET *****
Trojan Remover Ver 6.6.9.2533. For information, email support@simplysup1.com
[Unregistered version]
Scan started at: 4:46:34 PM 30 May 2008
Using Database v7012
Operating System: Windows XP SP3 [Windows XP Professional Service Pack 3 (Build 2600)]
File System: NTFS
Data directory: C:\Documents and Settings\Robbie\Application Data\Simply Super Software\Trojan Remover\
Logfile directory: C:\Documents and Settings\Robbie\My Documents\Simply Super Software\Trojan Remover Logfiles\
Program directory: C:\Program Files\Trojan Remover\
Running with Administrator privileges


**************************************************
PC appears to be in SAFE MODE with Network Support.

**************************************************

Checking for HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
- this key has been removed
----------
Checking for HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
- no action required on this key as it does not exist
Checking for HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
- no action required: value either does not exist or is set to False
Checking for HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{450D8FBA-AD25-11D0-98A8-0800361B1103}
- no action required: value either does not exist or is set to False
----------
Checking for HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
- no action required on this key as it does not exist
----------
Checking Values in:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Value: DisallowRun - value does not exist, no action required
Value: NoActiveDesktopChanges - value does not exist, no action required
Value: NoActiveDesktop - not set, no action required
Value: NoFileMenu - value does not exist, no action required
Value: NoClose - value does not exist, no action required
Value: NoDesktop - value does not exist, no action required
Value: NoDrives - value does not exist, no action required
Value: NoFind - value does not exist, no action required
Value: NoFolderOptions - value does not exist, no action required
Value: NoRun - value does not exist, no action required
Value: NoFavoritesMenu - value does not exist, no action required
Value: NoRecentDocsMenu - value does not exist, no action required
Value: NoSetFolders - value does not exist, no action required
Value: NoControlPanel - value does not exist, no action required
Value: NoNetHood - value does not exist, no action required
Value: NoToolbarCustomize - value has been removed
----------
Checking Values in:
HKCU\Control Panel\Desktop
----------
Checking HKCU ActiveDesktop Policies:
----------
Checking HKCU Add/Remove Programs Policies:
----------
Checking for HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
- no action required on this key as it does not exist
----------
Checking Values in:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Value: DisallowRun - value does not exist, no action required
Value: NoActiveDesktopChanges - value does not exist, no action required
Value: NoActiveDesktop - not set, no action required
Value: NoFileMenu - value does not exist, no action required
Value: NoClose - value does not exist, no action required
Value: NoDesktop - value does not exist, no action required
Value: NoDrives - value does not exist, no action required
Value: NoFind - value does not exist, no action required
Value: NoFolderOptions - value does not exist, no action required
Value: NoRun - value does not exist, no action required
Value: NoFavoritesMenu - value does not exist, no action required
Value: NoRecentDocsMenu - value does not exist, no action required
Value: NoSetFolders - value does not exist, no action required
Value: NoControlPanel - value does not exist, no action required
Value: NoNetHood - value does not exist, no action required
Value: NoToolbarCustomize - value has been removed
----------
Checking HKLM ActiveDesktop Policies:
----------
Checking HKLM Add/Remove Programs Policies:
----------
************************************************************


***** LAYERED SERVICE PROVIDER CHECKS *****
Trojan Remover Ver 6.6.9.2533. For information, email support@simplysup1.com
[Unregistered version]
Scan started at: 4:46:30 PM 30 May 2008
Using Database v7012
Operating System: Windows XP SP3 [Windows XP Professional Service Pack 3 (Build 2600)]
File System: NTFS
Data directory: C:\Documents and Settings\Robbie\Application Data\Simply Super Software\Trojan Remover\
Logfile directory: C:\Documents and Settings\Robbie\My Documents\Simply Super Software\Trojan Remover Logfiles\
Program directory: C:\Program Files\Trojan Remover\
Running with Administrator privileges


**************************************************
PC appears to be in SAFE MODE with Network Support.

**************************************************

No errors were located in the Layered Service Provider Registry entries.
No action was taken.
************************************************************


***** WINDOWS UPDATE POLICIES RESET *****
Trojan Remover Ver 6.6.9.2533. For information, email support@simplysup1.com
[Unregistered version]
Scan started at: 4:46:23 PM 30 May 2008
Using Database v7012
Operating System: Windows XP SP3 [Windows XP Professional Service Pack 3 (Build 2600)]
File System: NTFS
Data directory: C:\Documents and Settings\Robbie\Application Data\Simply Super Software\Trojan Remover\
Logfile directory: C:\Documents and Settings\Robbie\My Documents\Simply Super Software\Trojan Remover Logfiles\
Program directory: C:\Program Files\Trojan Remover\
Running with Administrator privileges


**************************************************
PC appears to be in SAFE MODE with Network Support.

**************************************************

No invalid Windows Update Policies found to reset.
************************************************************


***** WINDOWS HOSTS FILE RESET *****
Trojan Remover Ver 6.6.9.2533. For information, email support@simplysup1.com
[Unregistered version]
Scan started at: 4:46:19 PM 30 May 2008
Using Database v7012
Operating System: Windows XP SP3 [Windows XP Professional Service Pack 3 (Build 2600)]
File System: NTFS
Data directory: C:\Documents and Settings\Robbie\Application Data\Simply Super Software\Trojan Remover\
Logfile directory: C:\Documents and Settings\Robbie\My Documents\Simply Super Software\Trojan Remover Logfiles\
Program directory: C:\Program Files\Trojan Remover\
Running with Administrator privileges


**************************************************
PC appears to be in SAFE MODE with Network Support.

**************************************************

C:\WINDOWS\system32\DRIVERS\ETC\HOSTS has been copied to C:\WINDOWS\system32\DRIVERS\ETC\HOSTS.TRB
The default HOSTS file was successfully reset.
************************************************************


***** INTERNET EXPLORER HOME/START/SEARCH PAGE AND POLICY RESTRICTIONS RESET ****
Trojan Remover Ver 6.6.9.2533. For information, email support@simplysup1.com
[Unregistered version]
Scan started at: 4:46:13 PM 30 May 2008
Using Database v7012
Operating System: Windows XP SP3 [Windows XP Professional Service Pack 3 (Build 2600)]
File System: NTFS
Data directory: C:\Documents and Settings\Robbie\Application Data\Simply Super Software\Trojan Remover\
Logfile directory: C:\Documents and Settings\Robbie\My Documents\Simply Super Software\Trojan Remover Logfiles\
Program directory: C:\Program Files\Trojan Remover\
Running with Administrator privileges


**************************************************
PC appears to be in SAFE MODE with Network Support.

**************************************************

Existing Home/Start/Search Page settings are as follows:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Start Page":
go.microsoft.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Local Page":
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Search Page":
go.microsoft.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Default_Page_URL":
go.microsoft.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Default_Search_URL":
go.microsoft.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\"CustomizeSearch":
ie.search.msn.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\"SearchAssistant":
ie.search.msn.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page":
http://www.google.com/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Local Page":
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Search Page":
www.microsoft.com
These settings will now be reset to their defaults:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoToolbarCustomize" policy reset to default
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoBandCustomize" policy reset to default
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Default_Page_URL" has been reset
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Default_Search_URL" has been reset
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Local Page" has been reset
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Search Page" has been reset
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\"CustomizeSearch" has been reset
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\"SearchAssistant" has been reset
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes\"www" has been reset
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes\"ftp" has been reset
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes\"gopher" has been reset
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes\"home" has been reset
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes\"mosaic" has been reset
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoToolbarCustomize" policy reset to default
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoBandCustomize" policy reset to default
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Default_Search_URL" has been reset
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Local Page" has been reset
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Search Page" has been reset
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Show_FullURL" has been reset
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Show_ToolBar" has been reset
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Show_URLToolBar" has been reset
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page" has been reset
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Show_StatusBar" has been reset
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Show_URLinStatusBar" has been reset
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Window_Placement" has been reset
--------------------
************************************************************
rpm5099 (13774)
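Added example, not from the thread or from the HijackThis/Trojan Remover tools: a small Python checker that reads HijackThis-format lines and flags the traits visible in the log above, namely unnamed BHOs pointing at random 8-letter DLLs in system32, entries marked "(file missing)", and the same DLL name reappearing as a Winlogon Notify hook. The sample lines are a constructed subset of the posted log; `companion_ini` encodes the reversed-name .ini pairing the Trojan Remover output shows (mlJBqRKC.dll beside CKRqBJlm.ini).

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis 2.0.2 line format: a subset of the O2/O4/O20
# lines from the log posted above, not the full log.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {06E12C36-760F-4D92-8509-5E5DBF12C423} - C:\WINDOWS\system32\mlJApQkj.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {2F585198-0585-426D-A821-CB8C1FA5E99F} - C:\WINDOWS\system32\mlJBqRKC.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O20 - Winlogon Notify: mlJApQkj - mlJApQkj.dll (file missing)
"""

HJT_LINE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")   # "O2 - ...", "O20 - ..."
DLL_REF = re.compile(r"(?P<stem>[A-Za-z0-9_]+)\.dll", re.IGNORECASE)


def parse_hjt(text):
    """Split a HijackThis log into (section code, body) pairs, e.g. ('O2', 'BHO: ...')."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def looks_random(stem):
    """Vundo-style file stems in this log: exactly 8 letters mixing upper and lower case."""
    return (len(stem) == 8 and stem.isalpha()
            and any(c.isupper() for c in stem) and any(c.islower() for c in stem))


def vundo_indicators(entries):
    """Return {dll_stem: [reasons]} for entries carrying at least two Vundo-like traits.

    Only O2 (BHO) and O20 (Winlogon Notify) entries are examined: those are the two
    registry hook points the posted log shows the infection living in.
    """
    reasons = defaultdict(list)
    for code, body in entries:
        if code not in ("O2", "O20"):
            continue
        m = DLL_REF.search(body)
        if not m:
            continue
        stem = m.group("stem")
        if code == "O2" and "BHO: (no name)" in body:
            reasons[stem].append("unnamed BHO")
        if code == "O20":
            reasons[stem].append("Winlogon Notify hook")
        if "(file missing)" in body:
            reasons[stem].append("file missing (hidden or already removed)")
        if looks_random(stem) and "system32" in body.lower():
            reasons[stem].append("random 8-letter DLL in system32")
    # A single trait (e.g. a legitimate Winlogon Notify handler) is not enough on its own.
    return {s: r for s, r in reasons.items() if len(r) >= 2}


def companion_ini(stem):
    """Vundo paired each DLL with an .ini named as the DLL stem reversed
    (the Trojan Remover log above shows mlJBqRKC.dll beside CKRqBJlm.ini)."""
    return stem[::-1] + ".ini"


if __name__ == "__main__":
    for stem, why in vundo_indicators(parse_hjt(SAMPLE_HJT)).items():
        print(f"{stem}.dll: {', '.join(why)}  (look for companion {companion_ini(stem)})")
```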
674086 2008-05-30 23:42:00 btw, there was no error reporting triggered by explorer.exe crashing, the shell would just disappear and come back continually. That has stopped, so it may be fixed - what do you guys think? rpm5099 (13774)
674087 2008-05-30 23:44:00 It's being run from the registry. This is a new season design Vundo...


OK. We need to download ComboFix.exe. This will give a better view of the files running and also hidden on your computer, and also those in the registry.

Please visit this webpage for download links, and instructions for running ComboFix (www.bleepingcomputer.com)

When the tool is finished, it will produce a report for you. Please copy and paste the "C:\ComboFix.txt" along with a new 'HijackThis' log so that we can continue to do any further cleaning that your system may require.

Caution: Never run and remove files with ComboFix unless supervised by a qualified security analyst who is experienced in the use of ComboFix. Misuse can cause serious computer problems.

NOTE: ComboFix prevents autorun of all CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.
Pancake (6359)